jetify-com
diff --git a/‎go.mod‎
Lines changed: 5 additions & 0 deletions b/‎go.mod‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎go.sum‎
Lines changed: 9 additions & 1 deletion b/‎go.sum‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎internal/auth/auth.go‎
Lines changed: 305 additions & 0 deletions b/‎internal/auth/auth.go‎
Lines changed: 305 additions & 0 deletions
@@ -6,6 +6,7 @@ require (
 	cuelang.org/go v0.4.3
 	github.com/AlecAivazis/survey/v2 v2.3.6
 	github.com/MakeNowJust/heredoc/v2 v2.0.1
+	github.com/MicahParks/keyfunc/v2 v2.1.0
 	github.com/a8m/envsubst v1.4.2
 	github.com/alessio/shellescape v1.4.1
 	github.com/bmatcuk/doublestar/v4 v4.6.0
@@ -17,12 +18,14 @@ require (
 	github.com/fatih/color v1.15.0
 	github.com/fsnotify/fsnotify v1.6.0
 	github.com/getsentry/sentry-go v0.20.0
+	github.com/golang-jwt/jwt/v5 v5.0.0
 	github.com/google/go-cmp v0.5.9
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-envparse v0.1.0
 	github.com/mattn/go-isatty v0.0.18
 	github.com/mholt/archiver/v4 v4.0.0-alpha.7
 	github.com/pelletier/go-toml/v2 v2.0.7
+	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8
 	github.com/pkg/errors v0.9.1
 	github.com/rogpeppe/go-internal v1.10.0
 	github.com/samber/lo v1.38.1
@@ -36,6 +39,8 @@ require (
 	gopkg.in/yaml.v3 v3.0.1
 )
 
+require github.com/lib/pq v1.10.7 // indirect
+
 require (
 	github.com/InVisionApp/go-health/v2 v2.1.3 // indirect
 	github.com/InVisionApp/go-logger v1.0.1 // indirect
 
@@ -10,6 +10,8 @@ github.com/InVisionApp/go-logger v1.0.1 h1:WFL19PViM1mHUmUWfsv5zMo379KSWj2MRmBlz
 github.com/InVisionApp/go-logger v1.0.1/go.mod h1:+cGTDSn+P8105aZkeOfIhdd7vFO5X1afUHcjvanY0L8=
 github.com/MakeNowJust/heredoc/v2 v2.0.1 h1:rlCHh70XXXv7toz95ajQWOWQnN4WNLt0TdpZYIR/J6A=
 github.com/MakeNowJust/heredoc/v2 v2.0.1/go.mod h1:6/2Abh5s+hc3g9nbWLe9ObDIOhaRrqsyY9MWy+4JdRM=
+github.com/MicahParks/keyfunc/v2 v2.1.0 h1:6ZXKb9Rp6qp1bDbJefnG7cTH8yMN1IC/4nf+GVjO99k=
+github.com/MicahParks/keyfunc/v2 v2.1.0/go.mod h1:rW42fi+xgLJ2FRRXAfNx9ZA8WpD4OeE/yHVMteCkw9k=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
 github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
@@ -68,6 +70,8 @@ github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxI
 github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM=
 github.com/go-redis/redis v6.15.5+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
+github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
@@ -97,7 +101,8 @@ github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQ
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
-github.com/lib/pq v1.0.0 h1:X5PMW56eZitiTeO7tKzZxFCSpbFZJtkMMooicw2us9A=
+github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw=
+github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
@@ -125,6 +130,8 @@ github.com/pelletier/go-toml/v2 v2.0.7/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha
 github.com/pierrec/lz4/v4 v4.1.17 h1:kV4Ip+/hUBC+8T6+2EgburRtkE9ef4nbY3f4dFhGjMc=
 github.com/pierrec/lz4/v4 v4.1.17/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
+github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
+github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -185,6 +192,7 @@ golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 
@@ -0,0 +1,305 @@
+// Copyright 2023 Jetpack Technologies Inc and contributors. All rights reserved.
+// Use of this source code is governed by the license in the LICENSE file.
+
+package auth
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/pkg/browser"
+	"github.com/pkg/errors"
+	"go.jetpack.io/devbox/internal/boxcli/usererr"
+	"go.jetpack.io/devbox/internal/xdg"
+)
+
+const additionalSleepOnSlowDown = 1
+
+type codeResponse struct {
+	DeviceCode              string `json:"device_code"`
+	UserCode                string `json:"user_code"`
+	VerificationURI         string `json:"verification_uri"`
+	VerificationURIComplete string `json:"verification_uri_complete"`
+	ExpiresIn               int    `json:"expires_in"`
+	Interval                int    `json:"interval"`
+}
+
+type tokenSet struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	IDToken      string `json:"id_token"`
+	TokenType    string `json:"token_type"`
+	ExpiresIn    int    `json:"expires_in"`
+}
+
+// used for both requestToken and refreshToken functions
+type requestTokenError struct {
+	Error            string `json:"error"`
+	ErrorDescription string `json:"error_description"`
+}
+
+// showVerificationURL presents a device flow verification URL to the user,
+// either by printing it to stdout or opening a web browser.
+func (a *Authenticator) showVerificationURL(url string, w io.Writer) {
+	err := browser.OpenURL(url)
+	if err == nil {
+		fmt.Fprintf(w, "Opening your browser to complete the login. "+
+			"If your browser didn't open, you can go to this URL "+
+			"and confirm your code manually:\n%s\n\n", url)
+		return
+	}
+	fmt.Fprintf(
+		w,
+		"Please go to this URL to confirm this code and login: %s\n\n", url)
+}
+
+// requestDeviceCode requests a device code that the user can use to
+// authorize the device.
+func (a *Authenticator) requestDeviceCode() (*codeResponse, error) {
+	reqURL := fmt.Sprintf("https://%s/oauth/device/code", a.Domain)
+	payload := strings.NewReader(fmt.Sprintf(
+		"client_id=%s&scope=%s&audience=%s",
+		a.ClientID,
+		url.QueryEscape(a.Scope),
+		a.Audience,
+	))
+
+	req, err := http.NewRequest(http.MethodPost, reqURL, payload)
+	if err != nil {
+		bytesPayload, _ := io.ReadAll(payload)
+		return nil, errors.Wrapf(
+			err,
+			"failed to send request to URL: %s with payload: %s",
+			reqURL,
+			string(bytesPayload),
+		)
+	}
+
+	req.Header.Add("content-type", "application/x-www-form-urlencoded")
+
+	res, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to send Request")
+	}
+
+	defer res.Body.Close()
+	body, err := io.ReadAll(res.Body)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to read response body")
+	}
+
+	if res.StatusCode != http.StatusOK {
+		return nil, errors.Errorf(
+			"got status code: %d, with body %s",
+			res.StatusCode,
+			string(body),
+		)
+	}
+
+	response := codeResponse{}
+	return &response, json.Unmarshal(body, &response)
+}
+
+// requestTokens polls the Auth0 API for tokens.
+func (a *Authenticator) requestTokens(
+	ctx context.Context,
+	codeResponse *codeResponse,
+) (*tokenSet, error) {
+
+	timeToSleep := codeResponse.Interval
+	ticker := time.NewTicker(time.Duration(timeToSleep) * time.Second)
+	defer ticker.Stop()
+
+	// numTries is a counter to guard against infinite looping.
+	// In the normal course:
+	//    Status Code 200 OK: we early return within loop
+	//    Known Error scenarios: we continue looping and requesting Auth0 API.
+	//       These are not "errors" so much as "user hasn't yet completed
+	//       browser login flow"
+	//    Unknown Error scenarios: we early return within loop
+
+	for numTries := 0; numTries < 100; numTries++ {
+		select {
+		case <-ctx.Done():
+			return nil, errors.WithStack(ctx.Err())
+
+		case <-ticker.C:
+			res, err := a.tryRequestToken(codeResponse)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			defer res.Body.Close()
+			body, err := io.ReadAll(res.Body)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+
+			// Handle success
+			if res.StatusCode == http.StatusOK {
+				tokens := tokenSet{}
+				return &tokens, json.Unmarshal(body, &tokens)
+			}
+
+			// Handle failure scenarios
+			moreSleep, err := handleFailure(body, res.StatusCode)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+			timeToSleep += moreSleep
+			ticker.Reset(time.Duration(timeToSleep) * time.Second)
+		}
+	}
+
+	return nil, usererr.New("max number of tries exceeded")
+}
+
+func (a *Authenticator) doRefreshToken(
+	refreshToken string,
+) (*tokenSet, error) {
+
+	reqURL := fmt.Sprintf("https://%s/oauth/token", a.Domain)
+
+	payload := fmt.Sprintf(
+		"grant_type=refresh_token&client_id=%s&refresh_token=%s",
+		a.ClientID,
+		refreshToken,
+	)
+	payloadReader := strings.NewReader(payload)
+
+	req, err := http.NewRequest(http.MethodPost, reqURL, payloadReader)
+	if err != nil {
+		return nil, errors.Wrapf(
+			err,
+			"failed to create request to URL: %s, with payload: %s",
+			reqURL,
+			payload,
+		)
+	}
+
+	req.Header.Add("content-type", "application/x-www-form-urlencoded")
+
+	res, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, errors.Wrapf(
+			err,
+			"failed POST request to reqURL: %s, payload: %s ",
+			reqURL,
+			payload,
+		)
+	}
+
+	defer res.Body.Close()
+	body, err := io.ReadAll(res.Body)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to read response body")
+	}
+
+	if res.StatusCode == http.StatusOK {
+		tokens := &tokenSet{}
+		return tokens, json.Unmarshal(body, tokens)
+	}
+
+	tokenErrorBody := requestTokenError{}
+	if err := json.Unmarshal(body, &tokenErrorBody); err != nil {
+		return nil, errors.Wrapf(
+			err,
+			"unable to unmarshal requestTokenError from body %s",
+			body,
+		)
+	}
+	return nil, errors.Errorf(
+		"refreshing access token returned an error (%s) with description: %s",
+		tokenErrorBody.Error,
+		tokenErrorBody.ErrorDescription,
+	)
+}
+
+func (a *Authenticator) tryRequestToken(
+	codeResponse *codeResponse,
+) (*http.Response, error) {
+	reqURL := fmt.Sprintf("https://%s/oauth/token", a.Domain)
+
+	grantType := "urn:ietf:params:oauth:grant-type:device_code"
+	payload := strings.NewReader(fmt.Sprintf(
+		"grant_type=%s&device_code=%s&client_id=%s",
+		url.QueryEscape(grantType),
+		codeResponse.DeviceCode,
+		a.ClientID,
+	))
+
+	req, err := http.NewRequest(http.MethodPost, reqURL, payload)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	req.Header.Add("content-type", "application/x-www-form-urlencoded")
+
+	return http.DefaultClient.Do(req)
+}
+
+// handleFailure handles the failure scenarios for requestTokens.
+func handleFailure(body []byte, code int) (int, error) {
+	tokenErrorBody := requestTokenError{}
+	if err := json.Unmarshal(body, &tokenErrorBody); err != nil {
+		return 0, errors.WithStack(err)
+	}
+
+	if code == http.StatusTooManyRequests {
+		if tokenErrorBody.Error != "slow_down" {
+			return 0, errors.Errorf(
+				"got status code: %d, response body: %s",
+				code,
+				body,
+			)
+		}
+
+		return additionalSleepOnSlowDown, nil
+
+	} else if code == http.StatusForbidden {
+
+		// this error is received when waiting for user to take action
+		// when they are logging in via browser. Continue polling.
+		if tokenErrorBody.Error != "authorization_pending" {
+			return 0, errors.Errorf(
+				"got status code: %d, response body: %s",
+				code,
+				body,
+			)
+		}
+
+		return 0, nil // No slowdown, just keep trying
+	}
+	// The user has not authorized the device quickly enough, so
+	// the `device_code` has expired. Notify the user that the
+	// flow has expired and prompt them to re-initiate the flow.
+	// The "expired_token" is returned exactly once. After that,
+	// the dreaded "invalid_grant" will be returned and device
+	// must stop polling.
+	if tokenErrorBody.Error == "expired_token" || tokenErrorBody.Error == "invalid_grant" {
+		return 0, usererr.New(
+			"The device code has expired. Please try `devbox auth login` again.")
+	}
+
+	// "access_denied" can be received for:
+	// 1. user refused to authorize the device.
+	// 2. Auth server denied the transaction.
+	// 3. A configured Auth0 "rule" denied access
+	if tokenErrorBody.Error == "access_denied" {
+		return 0, usererr.New("Access was denied")
+	}
+
+	// Unknown error
+	return 0, usererr.New("Unable to login")
+}
+
+func getAuthFilePath() string {
+	return xdg.StateSubpath(filepath.FromSlash("devbox/auth.json"))
+}